This topic describes the cause of the Redis cross-site request forgery (CSRF) vulnerability and the security measures available for ApsaraDB for Redis.
CSRF introduction
CSRF (or XSRF), also known as One Click Attack or Session Riding, refers to a malicious exploitation of websites.
The preceding figure shows a simplified model of a CSRF attack. A user visits malicious website B (Website B), and malicious website A (Website A) replies to the user with an HTTP message that requires the user to visit Website B. If the user maintained a trust relationship with Website B, the system assumes that the user personally sent the request to visit Website B and processes the request.
Redis CSRF attack model
Based on the preceding principle of CSRF, a malicious website can require a user to send an HTTP request to Redis. Due to the support for a text-based protocol, Redis does not automatically disconnect after encountering malformed protocol data during protocol parsing. In this case, an attacker can append Redis commands to a normal HTTP request to allow the commands to be run on the Redis server. If no password authentication is configured between the user and Redis, the Redis commands can be directly run. Attackers can exploit this vulnerability to encrypt the data stored in Redis and then demand a ransom for decryption. This attack method is similar to previous ransomware attacks that targeted MongoDB databases.
Kernel fixes
Redis 3.2.7 provides a solution to this issue, which is to log statements that contain the POST and Host: keywords and then close the connection to prevent Redis from running subsequent legitimate commands.
Redis security risks
Earlier versions of Redis exposed a security vulnerability that allows hackers to obtain the root privileges of the Redis service when specific conditions are met. The main reason for this security vulnerability is that users do not have sufficient knowledge about the security mechanism of Redis and are inexperienced in Redis operations and maintenance. In addition, Redis does not provide robust security protection mechanisms. ApsaraDB for Redis provides a more secure Redis service. We recommend that you use ApsaraDB for Redis as the Redis service in the cloud.
Security policies of ApsaraDB for Redis
Connections over an internal network instead of the Internet
ApsaraDB for Redis provides trusted internal access. If you do not apply for a public endpoint, you cannot directly access ApsaraDB for Redis from the Internet.
Physical network isolation
The network in which ApsaraDB for Redis instances are deployed are physically isolated from the network from which you want to access ApsaraDB for Redis instances. You cannot directly access the network of backend servers.
VPC for network isolation
If you are an Alibaba Cloud user and deploy a virtual private cloud (VPC) to connect your services, only the services in the same VPC can access each other.
Whitelists
ApsaraDB for Redis allows you to configure whitelists. You can configure a whitelist of IP addresses that can be used to access an ApsaraDB for Redis instance in the ApsaraDB for Redis console.
Password authentication
ApsaraDB for Redis requires password authentication for instances deployed in the classic network. You can configure a complex password to prevent password cracking.
Permission isolation
ApsaraDB for Redis isolates permissions and accessible directories for each backend instance. The instances can access resources only by using their path to avoid mutual interference.
Disabling of high-risk commands
ApsaraDB for Redis disables specific high-risk system management commands such as config and save. To modify parameters, you must perform two-factor authentication in the ApsaraDB for Redis console. This avoids direct operations on backend configuration files and management commands.
Security monitoring
ApsaraDB for Redis features comprehensive security monitoring for physical machines, regular scans, and updates to security monitoring policies to detect security risks at the earliest opportunity.
Password authentication for cluster instances of ApsaraDB for Redis
Native Redis 3.0 clusters do not support password authentication. ApsaraDB for Redis cluster instances support password authentication for enhanced security.